Abstract. For any pair (X, Z) of correlated random variables we can think of Z as a randomized function of X. Provided that Z is short, one can make this function computationally efficient by allowing it to be only approximately correct. In folklore this problem is known as simulating auxiliary inputs. This idea of simulating auxiliary information turns out to be a powerful tool in computer science, finding applications in complexity theory, cryptography, pseudorandomness and zero-knowledge. In this paper we revisit this problem, achieving the following results:

(a) We discuss and compare the efficiency of known results, finding the flaw in the best known bound claimed in the TCC'14 paper "How to Fake Auxiliary Inputs".

(b) We present a novel boosting algorithm for constructing the simulator. Our technique essentially fixes the flaw. This boosting proof is of independent interest, as it shows how to handle "negative mass" issues when constructing probability measures in descent algorithms.

(c) Our bounds are much better than bounds known so far. To make the simulator (s, ε)-indistinguishable we need the complexity O(s · 2^{5ℓ} ε^{-2}) in time/circuit size, which is better by a factor ε^{-2} compared to previous bounds. In particular, with our technique we (finally) get meaningful provable security for the EUROCRYPT'09 leakage-resilient stream cipher instantiated with a standard 256-bit block cipher, like AES256.

Our boosting technique utilizes a two-step approach. In the first step we shift the current result (as in gradient or sub-gradient descent algorithms) and in the separate step we fix the biggest non-negative mass constraint violation (if applicable).

Keywords: simulating auxiliary inputs, boosting, leakage-resilient cryptography, stream ciphers, computational indistinguishability

1 Introduction

1.1 Simulating Correlated Information

Informal Problem Statement. Let (X, Z) ∈ 𝒳 × 𝒵 be a pair of correlated random variables. We can think of Z as a randomized function of X. More precisely, consider the randomized function h : 𝒳 → 𝒵 which for every x outputs z with probability Pr[Z = z | X = x]. By definition it satisfies

(X, h(X)) ≡ (X, Z)   (1)

(equality of distributions); however, the function h is inefficient, as we need to hardcode the conditional probability table of Z | X. It is natural to ask if this limitation can be overcome:

Q1: Can we represent Z as an efficient function of X?

Not surprisingly, it turns out that a positive answer may be given only in computational settings. Note that replacing the equality in Equation (1) by closeness in the total variation distance (allowing the function h to make some mistakes with small probability) is not enough¹. This discussion leads to the following reformulated question:

Q1': Can we efficiently simulate Z as a function of X?

* This work was partly supported by the WELCOME/2010-4/2 grant funded within the framework of the EU Innovative Economy Operational Programme.


Why does it matter? Aside from being very foundational, this question is relevant to many areas of computer science. We will not discuss these applications in detail, as they are well explained in [JP14]. Below we only mention where such a generic simulator can be applied, to show that this problem is indeed well-motivated.

(a) Complexity Theory. From the simulator one can derive the Dense Model Theorem [RTTV08], Impagliazzo's hardcore lemma [Imp95] and a version of Szemerédi's Regularity Lemma [FK99].

(b) Cryptography. The simulator can be applied in settings where Z models short leakage from a secret state X. It provides tools for improving and simplifying proofs in leakage-resilient cryptography, in particular for leakage-resilient stream ciphers [JP14].

(c) Pseudorandomness. Using the simulator one can conclude results called chain rules [GW11], which quantify pseudorandomness in conditioned distributions. They can also be applied to leakage-resilient cryptography.

(d) Zero-knowledge. The simulator can be applied to represent the text Z exchanged in verifier-prover interactions from the common input X [CLP15].

Thus, the simulator may be used as a tool to unify, simplify and improve many results. Having briefly explained the motivation we now turn to answer the posed question, leaving a more detailed discussion of some applications to Section 1.6.

¹ Indeed, consider the simplest case 𝒵 = {0,1}, define X to be uniform over 𝒳 = {0,1}^n, and take Z = f(X) where f is a function which is 0.5-hard to predict by circuits exponential in n. Then (X, h(X)) and (X, Z) are at least ½-away in total variation.



1.2 Problem Statement

The problem of simulating auxiliary inputs in the computational setting can be defined precisely as follows:

Given a random variable X ∈ {0,1}^n and a correlated Z ∈ {0,1}^ℓ, what is the minimal complexity s_h of a (randomized) function h such that the distributions of h(X) and Z are (ε, s)-indistinguishable given X, that is

|E D(X, h(X)) − E D(X, Z)| ≤ ε

holds for all (deterministic) circuits D of size s?

The indistinguishability above is understood with respect to deterministic circuits. However, it doesn't really matter for distinguishing two distributions, where randomized and deterministic distinguishers are equally powerful².

It turns out that it is relatively easy³ to construct a simulator h with a polynomial blowup in complexity, that is when

s_h = poly(s, ε^{-1}, 2^ℓ).

However, more challenging is to minimize the dependency on ε^{-1}. This problem is especially important for cryptography, where security definitions require the advantage ε to be as small as possible. Indeed, for meaningful security ε = … or at least ε = 2^{-40} it makes a difference whether we lose ε^{-2} or ε^{-4}. We will see later how much inefficient bounds here may affect the provable security of stream ciphers.

1.3 Related Works

Original work of Jetchev and Pietrzak (TCC'14). The authors showed that Z can be "approximately" computed from X by an "efficient" function h.

Theorem 1 ([JP14], corrected). For every distribution (X, Z) on {0,1}^n × {0,1}^ℓ and every ε, s, there exists a "simulator" h : {0,1}^n → {0,1}^ℓ such that

(a) (X, h(X)) and (X, Z) are (ε, s)-indistinguishable

(b) h is of complexity s_h = O(s · 2^{3ℓ} ε^{-4})

The proof uses the standard min-max theorem. In the statement above we correct two flaws. One is a missing factor of 2^ℓ. The second (and more serious) one is the (corrected) factor ε^{-4}, claimed incorrectly to be ε^{-2}. The flaws are discussed in Appendix A.

² If two distributions can be distinguished by a randomized circuit, we can fix a specific choice of coins to achieve at least the same advantage.
³ We briefly sketch the idea of the proof: note first that it is easy to construct a simulator for every single distinguisher. Having realized that, we can use the min-max theorem to switch the quantifiers and get one simulator for all distinguishers.



Vadhan and Zheng (CRYPTO'13). The authors derived a version of Theorem 1 but with incomparable bounds.

Theorem 2 ([VZ13]). For every distribution (X, Z) on {0,1}^n × {0,1}^ℓ and every ε, s, there exists a "simulator" h : {0,1}^n → {0,1}^ℓ such that

(a) (X, h(X)) and (X, Z) are (s, ε)-indistinguishable

(b) h is of complexity s_h = O(s · 2^ℓ ε^{-2} + 2^ℓ ε^{-4})

The proof follows from a general regularity theorem which is based on their uniform min-max theorem. The additive loss of O(2^ℓ ε^{-4}) appears as a consequence of a sophisticated weight-updating procedure. This error is quite large and may dominate the main term in many settings (whenever s ≪ ε^{-2}).

As we show later, Theorem 2 and Theorem 1 give in fact comparable security bounds when applied to leakage-resilient stream ciphers (see Section 1.6).


1.4 Our Results

We reduce the dependency of the simulator complexity s_h on the advantage ε to only a factor of ε^{-2}, from the factor of ε^{-4}.

Theorem 3 (Our Simulator). For every distribution (X, Z) on {0,1}^n × {0,1}^ℓ and every ε, s, there exists a "simulator" h : {0,1}^n → {0,1}^ℓ such that

(a) (X, h(X)) and (X, Z) are (s, ε)-indistinguishable

(b) h is of complexity s_h = O(s · 2^{5ℓ} ε^{-2})

Below in Table 1 we compare our result to previous works.


Author                 | Technique            | Advantage | Size | Cost of simulating
[JP14] (Theorem 1)     | Min-Max              | ε         | s    | s_h = O(s · 2^{3ℓ} ε^{-4})
[VZ13] (Theorem 2)     | Complicated Boosting | ε         | s    | s_h = O(s · 2^ℓ ε^{-2} + 2^ℓ ε^{-4})
This paper (Theorem 3) | Simple Boosting      | ε         | s    | s_h = O(s · 2^{5ℓ} ε^{-2})

Table 1. The complexity of simulating ℓ-bit auxiliary information given the required indistinguishability strength, depending on the proof technique.


Our result is slightly worse in terms of the dependency on ℓ, but outperforms previous results in terms of the dependency on ε^{-1}. However, the second dependency is more crucial for cryptographic applications. Note that the typical choice is sub-logarithmic leakage, that is ℓ = o(log ε^{-1}) in asymptotic settings⁴ (see for example [CLP15]). Stated in non-asymptotic settings this assumption translates to ℓ < c log ε^{-1} where c is a small constant (for example c = …, see [Pie09]). In these settings, we outperform previous results.

⁴ This is a direct consequence of the fact that we want ℓ to fit poly-preserving reductions.

To illustrate this, suppose we want to achieve security ε = … simulating just one bit from a 256-bit input. As follows from Table 1, previous bounds are useless as they give a complexity bigger than 2^{256}, which is the worst-case complexity of any boolean function over the chosen domain. In settings like this, only our bound can be applied to conclude meaningful results. For more concrete examples of settings where only our bounds are meaningful, we refer to Table 2 in Section 1.6.

1.5 Our Techniques 

Our approach utilizes a simple boosting technique: as long as condition (a) in Theorem 3 fails, we can use the distinguisher to improve the simulator. This makes our algorithm constructive with respect to oracle answers, similarly to other boosting proofs. In short, if we find D such that

E D(X, Z) − E D(X, h(X)) > ε

then we construct h' according to the equation⁵

Pr[h'(x) = z] = Pr[h(x) = z] + γ · Shift(D(x, z)) + Corr(x, z)

where

(a) The parameter γ is a fixed step chosen in advance (its optimal value depends on ε and ℓ and is calculated in the proof).

(b) Shift(D(x, z)) is a shifted version of D, so that Σ_z Shift(D(x, z)) = 0. This restriction corresponds to the fact that we want to preserve the constraint Σ_z h(x, z) = 1. More precisely, Shift(D(x, z)) = D(x, z) − E_{z'←𝒵} D(x, z').

(c) Corr(x, z) is a correction term used to fix (some of the) possibly negative weights.

The procedure is repeated in a loop, over and over again. The main technical difficulty is to show that it eventually stops after not too many iterations.

Note that in every such step the complexity cost of the shifting term is O(2^ℓ · size(D))⁶. In our solution, the correction term does a search over z looking for the biggest negative mass, and redistributes it over the remaining points. Intuitively, it works because the total negative mass is getting smaller with every step. See Algorithm 1 for a pseudo-code description of the algorithm and the rest of Section 3 for a proof.

1.6 Applications 

Better security for the EUROCRYPT'09 stream cipher. The first construction of a leakage-resilient stream cipher was proposed by Dziembowski and Pietrzak in [DP08]. In Figure 1 below we present a simplified version of this cipher [Pie09], based on a weak pseudorandom function (wPRF).

⁵ As we already mentioned, we can assume that D is deterministic without loss of generality. Then all the terms in the equation are well-defined.
⁶ By definition, it requires computing the average of D(x, ·) over 2^ℓ elements.

Fig. 1. The EUROCRYPT'09 stream cipher (adaptive leakage). F denotes a weak pseudorandom function. By K_i and X_i we denote, respectively, the values of the secret state and keystream bits. Leakages are denoted in gray with L_i.


Jetchev and Pietrzak in [JP14] showed how to use the simulator theorem to simplify the security analysis of the EUROCRYPT'09 cipher. The cipher security depends on the complexity of the simulator as explained in Theorem 1 and Remark 1. We consider the following setting:

— number of rounds q = 16,
— F instantiated with AES256 (as in [JP14]),
— cipher security we aim for ε' = 2^{-40},
— λ = 3 bits of leakage per round.

The concrete bounds for (q, ε', s')-security of the cipher (which, roughly speaking, means that q consecutive outputs are (s', ε')-pseudorandom; see Section 2 for a formal definition) are given in Table 2 below. We omit the calculations as they merely put the parameters from Theorem 1, Theorem 2 and Theorem 3 into Remark 1, assuming that AES as a weak PRF is (ε, s)-secure for any pair with s/ε ≈ 2^{256} (following the similar example in [JP14]).


Analysis / Authors      | wPRF security | Leakage | Advantage ε' | Size s'
[JP14] (Theorem 1)      | 256           | λ = 3   | 2^{-40}      | 0
[VZ13] (Theorem 2)      | 256           | λ = 3   | 2^{-40}      | 0
this paper (Theorem 3)  | 256           | λ = 3   | 2^{-40}      | 2^{66}

Table 2. The security of the EUROCRYPT'09 stream cipher, instantiated with AES256 as a weak PRF of roughly k = 256 bits of security. In this setting only our new bounds provide non-trivial bounds.

More generally, we can give the following comparison of security bounds for different wPRF-based stream ciphers, in terms of the time-success ratio. The bounds in Table 3 follow from the simple lemma in Section 4, which shows how the time-success ratio changes under explicit reduction formulas.


Cipher | Analysis  | Proof techniques              | Security level | Comments
(1)    | [Pie09]   | Pseudoentropy chain rules     | k' < …         | large number of blocks
(1)    | [JP14]    | Aux. Inputs Simulator (corr.) | …              |
(1)    | [VZ13]    | Aux. Inputs Simulator         | …              |
(1)    | This work | Aux. Inputs Simulator         | …              |
(2)    | [FPS12]   | Pseudoentropy chain rules     | k' ≈ …         | large public seed
(3)    | [YS13]    | Square-friendly apps.         | k' ≈ …         | only in minicrypt

Table 3. Different bounds for wPRF-based leakage-resilient stream ciphers. k is the security level of the underlying wPRF. The value k' is the security level for the cipher, understood in terms of the time-success ratio. The numbers denote: (1) the EUROCRYPT'09 cipher, (2) the CSS'10/CHES'12 cipher, (3) the CT-RSA'13 cipher.


1.7 Organization 

In Section 2 we discuss basic notions and definitions. The proof of Theorem 3 
appears in Section 3. 


2 Preliminaries 

2.1 Basic Notions 

Let 𝒱 be a finite set, and 𝒟 be a class of deterministic real functions on 𝒱. For any two real functions f₁, f₂ on 𝒱, we say that f₁, f₂ are (𝒟, ε)-indistinguishable if

∀D ∈ 𝒟 :  |E D(x) · f₁(x) − E D(x) · f₂(x)| ≤ ε

If 𝒟 consists of all circuits of size s we say that f₁, f₂ are (s, ε)-indistinguishable.


2.2 Stream cipher definitions

We start with the definition of weak pseudorandom functions, which are computationally indistinguishable from random functions when queried on random inputs and fed with a uniform secret key.

Definition 1 (Weak pseudorandom functions). A function F : {0,1}^k × {0,1}^n → {0,1}^m is an (ε, s, q)-secure weak PRF if its outputs on q random inputs are indistinguishable from random by any distinguisher of size s, that is

|Pr[D((X_i)_{i=1}^q, (F(K, X_i))_{i=1}^q) = 1] − Pr[D((X_i)_{i=1}^q, (R_i)_{i=1}^q) = 1]| ≤ ε

where the probability is over the choice of the random X_i ← {0,1}^n, the choice of a random key K ← {0,1}^k and R_i ← {0,1}^m conditioned on R_i = R_j if X_i = X_j for some j < i.
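The experiment of Definition 1, as a runnable game. This is an added example, not code from the paper; the candidate functions F_good (keyed SHA-256, assumed here to behave as a wPRF for illustration only) and F_bad (which ignores its key), and the two distinguishers, are constructed for this example. The random world enforces R_i = R_j whenever X_i = X_j, so a distinguisher that only checks repeat consistency gains no advantage, while one that notices that F_bad depends on the input alone wins outright.

```python
"""The weak-PRF experiment of Definition 1 as a runnable game.

Added example, not code from the paper.  F_good, F_bad and the two
distinguishers are constructed for illustration; sizes k, n, m are in bytes.
"""
import hashlib
import random


def F_good(key: bytes, x: bytes, m: int) -> bytes:
    """Keyed SHA-256 truncated to m bytes (toy wPRF candidate, assumption only)."""
    return hashlib.sha256(key + x).digest()[:m]


def F_bad(key: bytes, x: bytes, m: int) -> bytes:
    """Broken candidate: returns the last m bytes of its input, ignores the key."""
    return x[-m:]


def wprf_experiment(F, k, n, m, q, D, real, rng):
    """One run of the game.  real=True: D sees (X_i, F(K, X_i)); real=False:
    D sees (X_i, R_i) with R_i uniform, except that R_i = R_j whenever X_i
    equals an earlier X_j (the conditioning in Definition 1)."""
    key = rng.randbytes(k)
    xs = [rng.randbytes(n) for _ in range(q)]
    if real:
        ys = [F(key, x, m) for x in xs]
    else:
        table = {}  # repeated inputs must get repeated outputs
        ys = []
        for x in xs:
            if x not in table:
                table[x] = rng.randbytes(m)
            ys.append(table[x])
    return D(xs, ys)


def D_suffix(xs, ys):
    """Distinguisher: output 1 iff every output equals the suffix of its input."""
    return all(y == x[-len(y):] for x, y in zip(xs, ys))


def D_repeat_consistency(xs, ys):
    """Output 1 iff equal inputs received equal outputs.  Useless by design:
    the random world is conditioned to be consistent as well."""
    seen = {}
    for x, y in zip(xs, ys):
        if seen.setdefault(x, y) != y:
            return False
    return True


def estimate_advantage(F, D, k=16, n=1, m=1, q=4, trials=2000, seed=0):
    """|Pr[D = 1 | real] - Pr[D = 1 | random]| estimated over `trials` runs
    of each world.  n = 1 byte keeps input collisions (and hence the
    consistency rule) realistic for small q."""
    rng = random.Random(seed)
    real = sum(wprf_experiment(F, k, n, m, q, D, True, rng) for _ in range(trials))
    rand = sum(wprf_experiment(F, k, n, m, q, D, False, rng) for _ in range(trials))
    return abs(real - rand) / trials


if __name__ == "__main__":
    for F in (F_good, F_bad):
        for D in (D_suffix, D_repeat_consistency):
            print(F.__name__, D.__name__, estimate_advantage(F, D))
```

The consistency rule matters in practice: without it, a distinguisher could separate the worlds merely by finding two equal inputs with different outputs, which says nothing about F.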

Stream ciphers generate a keystream in a recursive manner. The security requirement is that the output stream should be indistinguishable from uniform.

Definition 2 (Stream ciphers). A stream cipher SC : {0,1}^k → {0,1}^k × {0,1}^n is a function that needs to be initialized with a secret state S₀ ∈ {0,1}^k and produces a sequence of output blocks X₁, X₂, … computed as

(S_i, X_i) := SC(S_{i−1}).

A stream cipher SC is (ε, s, q)-secure if for all 1 ≤ i ≤ q, the random variable X_i is (s, ε)-pseudorandom given X₁, …, X_{i−1} (the probability is also over the choice of the initial random key S₀).

Now we define the security of leakage-resilient stream ciphers, which follow the "only computation leaks" assumption.

Definition 3 (Leakage-resilient stream ciphers). A leakage-resilient stream cipher is (ε, s, q, λ)-secure if it is (ε, s, q)-secure as defined above, but where the distinguisher in the j-th round gets λ bits of arbitrary adaptively chosen leakage about the secret state accessed during this round. More precisely, before (S_j, X_j) := SC(S_{j−1}) is computed, the distinguisher can choose any leakage function f_j with range {0,1}^λ, and then not only gets X_j, but also Λ_j := f_j(S'_{j−1}), where S'_{j−1} denotes the part of the secret state that was modified (i.e., read and/or overwritten) in the computation SC(S_{j−1}).

2.3 Security of leakage-resilient stream ciphers

The best provably secure constructions of leakage-resilient stream ciphers are based on so-called weak PRFs, primitives which look random when queried on random inputs ([Pie09, FPS12, JP14, DP10, YS13]). The most recent (TCC'14) analysis is based on a version of Theorem 1.

Theorem 4 (Proving Security of Stream Ciphers [JP14]). If F is an (ε_F, s_F, 2)-secure weak PRF then SC^F is an (ε', s', q, λ)-secure leakage-resilient stream cipher where

ε' = 4q √(ε_F 2^λ),   s' = O(1) · … .

Remark 1 (The exact complexity loss). The inspection of the proof in [JP14] shows that s_F equals the complexity of the simulator h in Theorem 1 applied to the class of all circuits of size s', where ε is replaced by ε'.

We note that in a more standard notion the entire stream X₁, …, X_q is indistinguishable from random. This is implied by the notion above by a standard hybrid argument, with a loss of a multiplicative factor of q in the distinguishing advantage.





2.4 Time-Success Ratio

The running time (circuit size) s and success probability ε of attacks (practical and theoretical) against a particular primitive or protocol may vary. For this reason Luby [LM94] introduced the time-success ratio s/ε as a universal measure of security. This model is widely used to analyze provable security, cf. [BL13] and related works.

Definition 4 (Security by Time-Success Ratio [LM94]). A primitive P is said to be 2^k-secure if for every adversary with time resources (circuit size in the nonuniform model) s, the success probability in breaking P (advantage) is at most ε ≤ s · 2^{-k}. We also say that the time-success ratio of P is 2^k, or that it has k bits of security.

For example, AES with a 256-bit random key is believed to have 256 bits of security as a weak PRF⁷.


3 Proof of Theorem 3 


For technical convenience, we attempt to efficiently approximate the conditional probability function Pr[Z = z | X = x] rather than building the sampler directly. Once we end up with an efficient approximation h(x, z), we transform it into a sampler h_sim which outputs z with probability h(x, z) (this transformation yields only a loss of 2^ℓ). We are going to prove the following fact:

For every function g on 𝒳 × 𝒵 which is an 𝒳-conditional probability mass function over 𝒵 (that is g(x, z) ≥ 0 for all x, z and Σ_z g(x, z) = 1 for every x), and for every class 𝒟 closed under complements⁸ there exists h such that

(a) h is an 𝒳-conditional probability mass function over 𝒵

(b) h is of complexity s_h = O(2^{4ℓ} ε^{-2}) with respect to 𝒟

(c) (X, Z) and (X, h_sim(X)) are indistinguishable, which in terms of g and h means that for all D ∈ 𝒟

|E_{x←X} Σ_z D(x, z) · (g(x, z) − h(x, z))| ≤ ε   (2)

The sketch of the construction is shown in Algorithm 1. Here we would like to point out two things. First, we stress that we do not produce a strictly positive function; what our algorithm guarantees is that the total negative mass is small. We will see later that this is enough. Second, our algorithm performs essentially the same operations for every x, which is why its complexity depends only on 𝒵.

For simplicity (and without losing generality) we assume 𝒳 = {0,1}^n and 𝒵 = {0,1}^ℓ. We also denote for shortness D̄(x, z) = D(x, z) − E_{z'←𝒵} D(x, z') for any D (the "shift" transformation).

⁷ We consider the security of AES256 as a weak PRF, and not a standard PRF, because of non-uniform attacks which show that no PRF with a k-bit key can have s/ε ≈ 2^k security [DTT09], at least unless we additionally require ε …
⁸ This is a standard assumption in indistinguishability proofs. We can always extend the class by adding −D for every D ∈ 𝒟, which increases the complexity only by 1.





Algorithm 1: Construct a Simulator

input : Function g : {0,1}^n × {0,1}^ℓ → [0,1], accuracy parameter ε > 0, class 𝒟, step γ
output: Function h which is ε-indistinguishable from g under 𝒟, adds up to 1 for every x, and has total negative mass smaller than γ|Z|³

1  t ← 0
   h⁰(x, z) ← … for every x and z
   while there exists D ∈ 𝒟 such that E_x[Σ_z D(x, z) · (g(x, z) − h^t(x, z))] ≥ ε do   /* while the simulator is not good enough */
2      D^{t+1} ← D
       for z' ∈ Z do   /* improve the simulator towards the distinguisher direction */
3          h^{t+1}(x, z') ← h^t(x, z') + γ · D̄^{t+1}(x, z')
4      t ← t + 1
       m ← 0
       for z' ∈ Z do   /* locate the biggest negative point mass */
5          if h^t(x, z') < m then
6              m ← h^t(x, z')
               z⁻ ← z'
7      h^t(x, z⁻) ← 0   /* cut the biggest negative mass */
       for z' ∈ Z \ {z⁻} do
8          h^t(x, z') ← h^t(x, z') + m/(|Z| − 1)   /* redistribute the cut mass */
9  return h^t(x, z)
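The boosting loop of Algorithm 1 (and the shift/correction update described in Section 1.5), run on a constructed toy instance. This is an added example, not code from the paper. It assumes X uniform, a distinguisher class consisting of all 0/1-valued functions on X × Z (so the best distinguisher is found by brute force: it is the indicator of {g > h}), exact rational arithmetic, a uniform h⁰ (the paper's initialization is not reconstructed here), and a step γ deliberately larger than ε so that a mass cut is triggered within a few dozen iterations; the paper's proof takes γ = ε/poly(|Z|) instead.

```python
"""Toy run of the boosting simulator of Algorithm 1.

Added example, not code from the paper.  X is uniform, D is the class of all
0/1 functions on X x Z, h^0 is uniform (our choice), arithmetic is exact.
"""
from fractions import Fraction
import random


def best_distinguisher(g, h):
    """Return (adv, D) with adv = max_D E_x[sum_z D(x,z)(g(x,z) - h(x,z))].
    A 0/1 function of (x,z) can be chosen pointwise, so the maximiser is the
    indicator of {g > h}; the expectation is over uniform x."""
    nx = len(g)
    d = [[1 if g[x][z] > h[x][z] else 0 for z in range(len(g[x]))] for x in range(nx)]
    adv = sum(d[x][z] * (g[x][z] - h[x][z]) for x in range(nx) for z in range(len(g[x]))) / nx
    return adv, d


def shift(d_row):
    """Shift(D)(x,.) = D(x,.) - E_{z'} D(x,z'): the row sums to zero, so the
    update preserves sum_z h(x,z) = 1."""
    mean = Fraction(sum(d_row), len(d_row))
    return [v - mean for v in d_row]


def negative_mass(h_row):
    """NegativeMass(h(x,.)) = -sum_z min(h(x,z), 0)."""
    return -sum(min(v, 0) for v in h_row)


def construct_simulator(g, eps, gamma, max_iter=10_000):
    """Algorithm 1: shift step, then cut the biggest negative point mass and
    spread it over the remaining |Z|-1 points.  Returns the signed measure h
    (summing to 1 for every x) together with run statistics."""
    nx, nz = len(g), len(g[0])
    h = [[Fraction(1, nz)] * nz for _ in range(nx)]  # h^0 uniform (our choice)
    corrections, worst_neg = 0, Fraction(0)
    for t in range(max_iter):
        adv, d = best_distinguisher(g, h)
        if adv < eps:  # no distinguisher with advantage >= eps is left
            return {"h": h, "iterations": t, "corrections": corrections,
                    "max_negative_mass": worst_neg, "terminated": True}
        for x in range(nx):
            s = shift(d[x])
            row = [h[x][z] + gamma * s[z] for z in range(nz)]  # line 3
            m, z_min = Fraction(0), None
            for z in range(nz):  # lines 5-6: biggest negative point mass
                if row[z] < m:
                    m, z_min = row[z], z
            if z_min is not None:  # lines 7-8: cut it and redistribute it
                corrections += 1
                row[z_min] = Fraction(0)
                for z in range(nz):
                    if z != z_min:
                        row[z] += m / (nz - 1)
            h[x] = row
            worst_neg = max(worst_neg, negative_mass(row))
    return {"h": h, "iterations": max_iter, "corrections": corrections,
            "max_negative_mass": worst_neg, "terminated": False}


def to_pmf(h_row):
    """Final rescaling: drop negative masses and renormalise."""
    clipped = [max(v, Fraction(0)) for v in h_row]
    total = sum(clipped)
    return [v / total for v in clipped]


def sample(pmf_row, rng):
    """The sampler h_sim(x): output z with probability h(x,z) (inverse CDF)."""
    u, acc = rng.random(), Fraction(0)
    for z, p in enumerate(pmf_row):
        acc += p
        if u < acc:
            return z
    return len(pmf_row) - 1


def sample_counts(pmf_row, n, seed):
    """Draw n samples from the sampler and count how often each z occurs."""
    rng = random.Random(seed)
    counts = [0] * len(pmf_row)
    for _ in range(n):
        counts[sample(pmf_row, rng)] += 1
    return counts


# Constructed input: |X| = 2, |Z| = 3.  g(x0,.) has zero entries, so the shift
# step overshoots below zero and the mass-cutting branch is exercised.
G = [[Fraction(1), Fraction(0), Fraction(0)],
     [Fraction(7, 30), Fraction(7, 30), Fraction(8, 15)]]
EPS, GAMMA = Fraction(1, 300), Fraction(3, 100)


def run_example():
    res = construct_simulator(G, EPS, GAMMA)
    res["pmf"] = [to_pmf(row) for row in res["h"]]
    return res


if __name__ == "__main__":
    r = run_example()
    print(r["iterations"], "iterations,", r["corrections"], "mass cuts,",
          "worst negative mass", r["max_negative_mass"])
    print("sample counts for x0:", sample_counts(r["pmf"][0], 2000, 0))
```

On this input the loop stops after 35 iterations with two mass cuts; the worst transient negative mass is 1/100, far below the |Z|³γ bound of Claim 3, and the final rescaling turns the signed measure into the distribution that the sampler h_sim draws from. With γ this large relative to ε the row for x₀ oscillates around its target by about γ per step, which is exactly why the proof picks γ = ε/poly(|Z|).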


Proof. Consider the functions h^t. Define h̃^{t+1}(x, z) = h^t(x, z) + γ · D̄^{t+1}(x, z). According to Algorithm 1, we have

h^{t+1}(x, z) = h^t(x, z) + γ · D̄^{t+1}(x, z) + θ^{t+1}(x, z)   (3)

with the correction term θ^{t+1}(x, z) that can be computed recursively as (see the mass-cutting steps in Algorithm 1)

θ⁰(x, z) = 0

θ^{t+1}(x, z) = −min(h̃^{t+1}(x, z), 0),   if z = z_min^{t+1}(x)
θ^{t+1}(x, z) = min(h̃^{t+1}(x, z_min^{t+1}(x)), 0) / (|Z| − 1),   otherwise   (4)

where z_min^{t+1}(x) is one of the points z minimizing h^t(x, z) + γ D̄^{t+1}(x, z). In particular

h̃^{t+1}(x, z_min^{t+1}(x)) < 0  ⟺  ∃z : h̃^{t+1}(x, z) < 0   (5)

Notation: for notational convenience we identify the functions D̄^t(x, z), θ^t(x, z), h^t(x, z) and h̃^t(x, z) with matrices where x are columns and z are rows; for a fixed x we write D̄_x^t, θ_x^t, h_x^t, h̃_x^t, g_x for the corresponding columns, u · v for the inner product of two such columns and u² for u · u.





Claim 1 (Complexity of Algorithm 1). T executions of the "while loop" can be realized with time O(T · |Z| · size(𝒟)) and memory O(|Z|).

This claim describes precisely the resources required to compute the function for every T. In order to bound T, we define the energy function as follows:

Claim 2 (Energy function). Define the auxiliary function

Δ^t = Σ_{x∈X} [ Σ_{i=0}^{t−1} D̄_x^{i+1} · (g_x − h_x^i) ]   (6)

Then we have Δ^t = E₁ + E₂ where

E₁ = (1/γ) Σ_{x∈X} [ (h_x^t − h_x^0) · g_x + ½ Σ_{i=0}^{t−1} (h_x^{i+1} − h_x^i)² − ½ ((h_x^t)² − (h_x^0)²) ]
E₂ = (1/γ) Σ_{x∈X} [ − Σ_{i=0}^{t−1} θ_x^{i+1} · (g_x − h_x^{i+1}) − Σ_{i=0}^{t−1} θ_x^{i+1} · (h_x^{i+1} − h_x^i) ]   (7)

The proof is based on simple algebraic manipulations and appears in Appendix B.

Remark 2 (Technical issues and intuitions). From Equation (7) it is clear that we need two important properties:

(a) Boundedness of the correction terms, that is ideally |θ^t(x, z)| = O(poly(|Z|) · γ).

(b) Acute angle between the correction and the error, that is θ_x^{i+1} · (g_x − h_x^{i+1}) ≥ 0.

Below we present an outline of the proof, discussing the more technical parts in the appendix.


Proof outline. Indeed, with these assumptions we can prove that

E₁ + E₂ ≤ poly(|Z|) · (tγ + γ^{-1}).

Since on the other hand we have tε ≤ Δ^t, setting γ = ε/poly(|Z|) we get that the algorithm terminates after at most T = poly(|Z|) ε^{-2} steps. We stress that it outputs only a signed measure, not a probability distribution. However, because of property (a) the negative mass is only of order poly(|Z|) ε and the function we end with can simply be rescaled (we replace negative masses by 0 and normalize the function by dividing by a factor 1 − m, where m is the total negative mass). With this transformation, we replace the expected advantage O(ε) by a slightly worse O(poly(|Z|) ε). We can then rescale ε to get a clear dependency. Finally, we need to remember that we construct only a probability distribution function, not a sampler. Transforming it into a sampler yields an overhead of O(|Z|). This discussion shows that it is possible to build a sampler of complexity poly(|Z|) ε^{-2}. A more careful inspection of the proof shows that we can actually achieve

The RAM model








Technical Discussion. We note that condition (b) essentially means that mass cuts should go in the right direction, as it is much simpler to prove that Algorithm 1 terminates when there are no correction terms θ^t; thus we don't want to go in a wrong direction and ruin the energy gain. Concrete bounds on properties (a) and (b) are given in Claims 3 and 4.

In Algorithm 1 in every round we shift only one negative point mass (see the mass-cutting steps in Algorithm 1). However, since this point mass is chosen to be as big as possible and since h^{t+1} and h^t differ only by a small term γ · D̄^{t+1} except for the mass shift θ^{t+1}, one can expect that we have the negative mass under control. Indeed, this is stated precisely in Claim 3 below.

Claim 3 (The total negative mass is small). Let

NegativeMass(h^t(x, ·)) = − Σ_z min(h^t(x, z), 0)

be the total negative mass in h^t(x, z) as a function of z. Then we have

NegativeMass(h^t(x, ·)) ≤ |Z|³ γ   (8)

for every x and every t.

The proof is based on a recurrence relation that links NegativeMass(h^{t+1}(x, ·)) with NegativeMass(h^t(x, ·)), and appears in Appendix C.

Claim 4 (The angle formed by the correction and the difference vector is acute). For every x, t we have Angle(θ_x^{t+1}, g_x − h_x^{t+1}) ∈ [−π/2, π/2].

The proof appears in Appendix D.


4 Time-success ratio under algebraic transformations 


In Lemma 1 below we provide a quantitative analysis of how the time-success ratio changes under concrete formulas in security reductions.

Lemma 1 (Time-success ratio for algebraic transformations). Let a, b, c and A, B, C be positive constants. Suppose that P' is secure against adversaries (s', ε') whenever P is secure against adversaries (s, ε), where

s' = s · c · ε^C − b · ε^{-B}
ε' = a · ε^A.   (9)

In addition, suppose that the following condition is satisfied

A ≤ C + 1.   (10)

Then the following is true: if P is 2^k-secure, then P' is 2^{k'}-secure (in the sense of Definition 4) where

k' = ((B + C + 1)/A) · … (log c − log b) − log a,   if b ≠ 0
k' = … + … log c − log a,   if b = 0   (11)

The proof is elementary though not immediate. It can be found in [Sko15].

Remark 3 (On the technical condition (10)). This condition is satisfied in almost all applications, as in the reduction proof typically ε' cannot be better (meaning a higher exponent) than ε. Thus, quite often we have A ≤ 1.
A More on the flaw in [JP14]

In the original setting we have 𝒵 = {0,1}^ℓ. In the proof of the claimed better bound O(s · … · ε^{-2}) there is a mistake on page 18 (eprint version), when the authors enforce a signed measure to be a probability measure by a mass shifting argument. The number M defined there is in fact a function of x and is hard to compute, whereas the original proof assumes that this is a constant independent of x. During iterations of the boosting loop, this number is used to modify the distinguisher class step by step, which drastically blows up the complexity (exponentially in the number of steps, which is already polynomial in ε^{-1}). In the min-max based proof giving the bound O(s · 2^{2ℓ} ε^{-4}), a fixable flaw is a missing factor of 2^ℓ in the complexity (page 16 in the eprint version), which is because what is constructed in the proof is only a probability mass function, not yet a sampler [Pie15].


B Proof of Claim 2

We can rewrite Equation (6), using D̄_x^{i+1} = (h_x^{i+1} − h_x^i − θ_x^{i+1})/γ from Equation (3), as

Δ^t = (1/γ) Σ_{x∈X} [ Σ_{i=0}^{t−1} (h_x^{i+1} − h_x^i) · (g_x − h_x^i) − Σ_{i=0}^{t−1} θ_x^{i+1} · (g_x − h_x^i) ]   (12)

First, note that

Σ_{i=0}^{t−1} (h_x^{i+1} − h_x^i) · (g_x − h_x^i)
  = (h_x^t − h_x^0) · g_x − Σ_{i=0}^{t−1} (h_x^{i+1} − h_x^i) · h_x^i
  = (h_x^t − h_x^0) · g_x + ½ Σ_{i=0}^{t−1} (h_x^{i+1} − h_x^i) · (h_x^{i+1} − h_x^i) − ½ Σ_{i=0}^{t−1} ((h_x^{i+1})² − (h_x^i)²)
  = (h_x^t − h_x^0) · g_x + ½ Σ_{i=0}^{t−1} (h_x^{i+1} − h_x^i)² − ½ ((h_x^t)² − (h_x^0)²)   (13)

As to the second term in Equation (12), we observe that

− Σ_{i=0}^{t−1} θ_x^{i+1} · (g_x − h_x^i) = − Σ_{i=0}^{t−1} θ_x^{i+1} · (g_x − h_x^{i+1}) − Σ_{i=0}^{t−1} θ_x^{i+1} · (h_x^{i+1} − h_x^i)   (14)

Summing Equation (13) and Equation (14) over x with the factor 1/γ gives E₁ and E₂ in Equation (7).


C Proof of Claim 3

Proof (Proof of Claim 3). We start by comparing the total negative mass in the functions h̃^{t+1} = h^t + γ D̄^{t+1} and h^{t+1}. Suppose first that h̃^{t+1}(x, z₀) < 0 where z₀ = z_min^{t+1}(x). Since Σ_{z≠z₀} h̃^{t+1}(x, z) = 1 − h̃^{t+1}(x, z₀) > 1, there exists z₁ such that h̃^{t+1}(x, z₁) ≥ (1 − h̃^{t+1}(x, z₀))/(|Z| − 1). Combining this with Equation (4) we obtain

h^{t+1}(x, z₁) = h̃^{t+1}(x, z₁) + h̃^{t+1}(x, z₀)/(|Z| − 1) ≥ 1/(|Z| − 1)   (15)

By Equation (4) we have

Σ_{z∈Z} min(h^{t+1}(x, z), 0)
  = Σ_{z∈Z} min(h̃^{t+1}(x, z) + θ^{t+1}(x, z), 0)
  = Σ_{z∈Z\{z₀,z₁}} min(h̃^{t+1}(x, z) + h̃^{t+1}(x, z₀)/(|Z| − 1), 0) + min(h^{t+1}(x, z₀), 0) + min(h^{t+1}(x, z₁), 0)
  ≥ Σ_{z∈Z\{z₀,z₁}} ( min(h̃^{t+1}(x, z), 0) + h̃^{t+1}(x, z₀)/(|Z| − 1) ) + min(h̃^{t+1}(x, z₀), 0) − h̃^{t+1}(x, z₀) + min(h̃^{t+1}(x, z₁), 0)
  = Σ_{z∈Z} min(h̃^{t+1}(x, z), 0) − h̃^{t+1}(x, z₀)/(|Z| − 1)   (16)

where the inequality line follows from h̃^{t+1}(x, z₀) < 0 and Equation (15). But by the definition of z_min^{t+1}(x) in Equation (4), and since by Equation (15) at most |Z| − 1 of the values h̃^{t+1}(x, z) are negative, we get

h̃^{t+1}(x, z₀) ≤ (1/(|Z| − 1)) Σ_{z∈Z} min(h̃^{t+1}(x, z), 0)   (17)

Combining Equation (16) and Equation (17) we obtain

− Σ_{z∈Z} min(h^{t+1}(x, z), 0) ≤ − (1 − 1/(|Z| − 1)²) Σ_{z∈Z} min(h̃^{t+1}(x, z), 0)   (18)

Since |h̃^{t+1}(x, z) − h^t(x, z)| ≤ γ by Equation (3), we get the following recursion

− Σ_{z∈Z} min(h^{t+1}(x, z), 0) ≤ − (1 − 1/(|Z| − 1)²) Σ_{z∈Z} min(h^t(x, z), 0) + |Z| γ   (19)

which can be rewritten as

NegativeMass(h^{t+1}(x, ·)) ≤ (1 − 1/(|Z| − 1)²) NegativeMass(h^t(x, ·)) + |Z| γ.   (20)

which is in addition trivially true if h̃^{t+1}(x, z) ≥ 0 for all z. The result follows by expanding this recursion down to t = 0.

D Proof of Claim 4

Proof. If θ^{t+1}(x, ·) = 0 then there is nothing to prove. Suppose that θ^{t+1}(x, ·) ≠ 0. Let z₀ = z_min^{t+1}(x). According to Equation (4) we have θ^{t+1}(x, z₀) = −h̃^{t+1}(x, z₀) and θ^{t+1}(x, z) = h̃^{t+1}(x, z₀)/(|Z| − 1) for z ≠ z₀. Therefore

θ_x^{t+1} · (g_x − h̃_x^{t+1})
  = −h̃^{t+1}(x, z₀) (g(x, z₀) − h̃^{t+1}(x, z₀)) + Σ_{z≠z₀} (h̃^{t+1}(x, z₀)/(|Z| − 1)) (g(x, z) − h̃^{t+1}(x, z))
  = −h̃^{t+1}(x, z₀) (g(x, z₀) − h̃^{t+1}(x, z₀)) − (h̃^{t+1}(x, z₀)/(|Z| − 1)) (g(x, z₀) − h̃^{t+1}(x, z₀))   (21)

where the last step uses Σ_{z≠z₀} g(x, z) = 1 − g(x, z₀) and Σ_{z≠z₀} h̃^{t+1}(x, z) = 1 − h̃^{t+1}(x, z₀), and

− θ_x^{t+1} · θ_x^{t+1} = − (1 + 1/(|Z| − 1)) h̃^{t+1}(x, z₀)²   (22)

Putting Equations (21) and (22) together, and using h_x^{t+1} = h̃_x^{t+1} + θ_x^{t+1}, we obtain

θ_x^{t+1} · (g_x − h_x^{t+1}) = θ_x^{t+1} · (g_x − h̃_x^{t+1}) − θ_x^{t+1} · θ_x^{t+1}
  = − (1 + 1/(|Z| − 1)) h̃^{t+1}(x, z₀) · g(x, z₀)

which is non-negative because h̃^{t+1}(x, z₀) < 0 and g(x, z₀) ≥ 0. This proves Claim 4.